Humana Breaches Reflect Chronic Credential Theft in Healthcare

A series of 2018 cybersecurity incidents shows credential stuffing is a trend to watch among healthcare organizations.

On Oct. 25, 2018, Bankers Life informed Humana of "unusual activity" affecting its systems. This was among the last breaches Humana disclosed in 2018 but far from the first.

Bankers Life, which does business with the health insurance company, first noticed suspicious activity on Aug. 7, 2018. An investigation with an external forensics investigator revealed that an unknown, unauthorized actor obtained system credentials for Bankers Life employees and gained access to websites where people can log in to apply for Humana healthcare policies, the company recently disclosed.

Investigators found the breach affected consumer insurance applications and the data within them, including birthdates, addresses, the last four digits of Social Security numbers, and insurance-related data (policy or application numbers and the type and cost of coverage, for example). The intruder had access to the data from May 30 through Sept. 13, officials report.

"What is alarming are the timelines of the attack, which show that the attack ran from May through to September," says Garrett O'Hara, principal consultant at Mimecast. "This is not unusual, but does raise questions around what activity was happening in the background."

This incident did not compromise full Social Security numbers, banking or credit card data, or any information about individuals' health or medical care, Humana explained in its breach disclosure. Bankers Life is offering a year of free identity repair and credit monitoring services, and "took steps to further restrict and monitor access to its systems and enhance additional security procedures, including additional training for certain employees," the company said.

"Based on the current reporting, this breach appears to be pretty typical," says Matthew Gardiner, security strategist at Mimecast. "In many cases, the attacker doesn't even know what they are going to do with the stolen data until they steal and evaluate it." It's common, he adds, for cybercriminals to steal data first and only then look for a secondary black market to sell it into.

Credential Compromise is Chronic

Credential-harvesting attacks have become one of the most prevalent attack types not only in healthcare, but for all organizations, says Gardiner. However, because of legal requirements to report breaches, disclosures from healthcare firms appear in public disproportionately often. The rise in online applications, combined with single-factor authentication, makes credential theft "a natural stepping stone for cybercriminals" and results in these types of cyberattacks, he adds.

The Bankers Life incident wasn't Humana's first credential-related incident in 2018. This summer brought a phishing attack on Family Physicians Group (FPG), a firm Humana acquired in April and one of the largest healthcare providers for Medicare and Medicaid patients in Central Florida, according to HIPAA Journal, which says FPG has 22 clinics in the area.

Like the Bankers Life incident, this one involved compromised credentials. Investigators analyzing the FPG attack learned an intruder broke into an employee's email account using credentials the employee had handed over in response to a phishing message. The actor(s) broke into the account on Aug. 7, 2018 and retained access to it until Aug. 21.

In total, the FPG attack exposed the data of 8,400 patients. Affected information did not include financial data or Social Security numbers. It did include names, birthdates, physicians' names, and health insurance information. FPG so far has no indication the data was abused but had employees change their passwords and took steps to protect email accounts from phishing.

Humana also notified members of a credential-stuffing incident in early July following an attack on Humana.com and Go365.com. In early June, the company detected a "significant increase" in secure login errors after several attempts to log into both Humana and Go365 from foreign countries. Its security operations team blocked the intruding IP addresses on June 4, 2018.

The volume of attempts indicated a "large and broad-based automated attack," reported Jim Theiss, Humana's chief privacy officer, in a letter dated June 21. The attacker evidently held a large number of user IDs and passwords and was testing which combinations were valid. The high failure rate shows the ID/password combinations did not come from Humana; they were being replayed from elsewhere, which is the hallmark of credential stuffing.
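The signal Humana's security operations team reacted to (a jump in failed logins, many different user IDs tried from a few source addresses, almost no successes) can be written down as a simple detection rule. The Python below is an added example, not code from Humana or from the article; the log format, the thresholds, the RFC 5737 documentation IP addresses and the user IDs are all constructed for illustration. It separates stuffing sources from an ordinary user who mistypes a password several times, and lists the accounts that did authenticate from a flagged source so they can be reset.

```python
"""Credential-stuffing detector over a constructed sample of login events.

Added example (not Humana's or the article's code). The log format,
thresholds and addresses are assumptions chosen to show the pattern the
article describes: a burst of failures where each source IP cycles through
many distinct user IDs and very few attempts succeed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample, one event per line:
# "<ISO timestamp> <source IP> <user ID> <success|failure>".
# 198.51.100.7 / .8 behave like stuffing bots; 203.0.113.12 is one user
# who forgets a password five times; the rest are normal logins.
SAMPLE_LOG = """\
2018-06-04T02:00:01Z 203.0.113.10 alice failure
2018-06-04T02:00:09Z 203.0.113.10 alice success
2018-06-04T02:00:12Z 203.0.113.11 bob success
2018-06-04T02:00:13Z 198.51.100.7 u1001 failure
2018-06-04T02:00:13Z 198.51.100.7 u1002 failure
2018-06-04T02:00:14Z 198.51.100.7 u1003 failure
2018-06-04T02:00:14Z 198.51.100.7 u1004 success
2018-06-04T02:00:15Z 198.51.100.7 u1005 failure
2018-06-04T02:00:15Z 198.51.100.7 u1006 failure
2018-06-04T02:00:16Z 198.51.100.7 u1007 failure
2018-06-04T02:00:16Z 198.51.100.7 u1008 failure
2018-06-04T02:00:20Z 198.51.100.8 u2001 failure
2018-06-04T02:00:20Z 198.51.100.8 u2002 failure
2018-06-04T02:00:21Z 198.51.100.8 u2003 failure
2018-06-04T02:00:21Z 198.51.100.8 u2004 failure
2018-06-04T02:00:22Z 198.51.100.8 u2005 failure
2018-06-04T02:00:22Z 198.51.100.8 u2006 failure
2018-06-04T02:00:30Z 203.0.113.12 carol failure
2018-06-04T02:00:35Z 203.0.113.12 carol failure
2018-06-04T02:00:40Z 203.0.113.12 carol failure
2018-06-04T02:00:45Z 203.0.113.12 carol failure
2018-06-04T02:00:50Z 203.0.113.12 carol failure
2018-06-04T02:00:55Z 203.0.113.12 carol success
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used by the rule."""
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)

    @property
    def success_ratio(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_events(log_text: str) -> list:
    """Return (ip, user, ok) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        events.append((ip, user, result == "success"))
    return events


def summarize_by_source(events) -> dict:
    """Aggregate attempts, successes and distinct user IDs per source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.successes += int(ok)
        s.users.add(user)
    return dict(stats)


def flag_credential_stuffing(stats, min_attempts=5, min_distinct_users=5,
                             max_success_ratio=0.2) -> list:
    """Source IPs that tried many distinct IDs with a low hit rate.

    The distinct-user threshold is what keeps a single forgetful user
    (many failures, one account) out of the block list.
    """
    return sorted(ip for ip, s in stats.items()
                  if s.attempts >= min_attempts
                  and len(s.users) >= min_distinct_users
                  and s.success_ratio <= max_success_ratio)


def overall_failure_rate(stats) -> float:
    """Share of all attempts that failed; a jump here is the first alarm."""
    attempts = sum(s.attempts for s in stats.values())
    failures = sum(s.attempts - s.successes for s in stats.values())
    return failures / attempts if attempts else 0.0


def accounts_to_reset(events, flagged_ips) -> set:
    """User IDs that authenticated from a flagged source: valid reused
    credentials the attacker now knows, so force a password change."""
    flagged = set(flagged_ips)
    return {user for ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    by_ip = summarize_by_source(evts)
    bots = flag_credential_stuffing(by_ip)
    print(f"failure rate: {overall_failure_rate(by_ip):.2f}")
    print("block:", bots)
    print("reset:", sorted(accounts_to_reset(evts, bots)))
```

In production the counters would be kept per sliding window and the failure rate compared with a baseline from quiet hours; the thresholds above are illustrative and should be tuned to the site's normal traffic, since legitimate shared egress addresses (corporate proxies, mobile carriers) also show many distinct users but with a high success ratio.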

What to Do About It

Dr. Asem Othman, team lead for biometric science at Veridium, says health credentials are worth more than other credentials on the Dark Web. The Bankers Life/Humana breach demonstrates how privileged access, such as database access, needs to be carefully managed with stronger authentication requirements and approval from administrators and/or supervisors.

Biometric authentication is making its mark in healthcare, says Dr. Othman. For example, patients seek touchless biometrics like FaceID and fingerprint logins. In some operating rooms, periocular (a scan of the eye area) and voice can both prove useful. "Replacing passwords with biometrics will ensure secure yet convenient access to health and insurance records, and provide true identity authentication, preventing leaks of PII as seen in the Bankers Life breach."

While investment in technology for protection is crucial, says O'Hara, people will continue to be weak points in security as both sophisticated and simple social engineering attacks give attackers access to credentials. The value of healthcare data, combined with "traditionally limited budgets" for healthcare's IT and security teams, increases the appeal to attackers.

"The huge downward pressure to do more with less will see legacy medical systems, often out-of-date and unpatched, being used as a stepping stone into more lucrative systems," he adds.

Because of this, he strongly advises end-user education programs to help employees both understand cybersecurity and become invested in protecting the company they work for. Regular and relevant education, while difficult, can help get through to employees.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology.

And include C-SUITE EDUCATION too - management has to understand the significance. Generally does not. Users are the front line of infections - one lady brought down North Carolina through an infected attachment. But management has to give this subject the respect and budget it deserves. Why? Equifax. Case closed.
